Accepting request 196609 from home:lnussel:branches:devel:openSUSE:Factory

- also include old openSUSE 4096 bit certificate to be able to still boot kernels signed with that key. - add show_signatures script OBS-URL: https://build.opensuse.org/request/show/196609 OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=38
2013-08-28 09:32:58 +00:00 · 2013-08-28 09:32:58 +00:00 · f83d4083f6
commit f83d4083f6
parent e60c1a0266
4 changed files with 77 additions and 4 deletions
--- a/openSUSE-UEFI-CA-Certificate-4096.crt
+++ b/openSUSE-UEFI-CA-Certificate-4096.crt
@ -0,0 +1,37 @@
+-----BEGIN CERTIFICATE-----
+MIIGdDCCBFygAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgTEgMB4GA1UEAwwXb3Bl
+blNVU0UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJl
+bWJlcmcxGTAXBgNVBAoMEG9wZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEW
+EmJ1aWxkQG9wZW5zdXNlLm9yZzAeFw0xMzAxMjgxNDUzMzBaFw0zNDEyMjQxNDUz
+MzBaMIGBMSAwHgYDVQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTELMAkGA1UE
+BhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNVU0UgUHJv
+amVjdDEhMB8GCSqGSIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnMIICIjANBgkq
+hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuqmSgrdlO0B96sOK5mJj1k4OetzmP6l8
+YKdy+HdzN/3bS97vfqIIqb0YCgzmJROSLsXv6WQReuAtKbftgla6R/dOvKU/CxCN
+z0uCbzuM+gN5Q7pSWifnm81QNDowFpxZlJBFvIP92zh5yWNEGqVzMN0jDjOFxLfh
+O1sx6W8YBOYzScWrlTKysH6uK79gWenwvh3nmkx+68PV08azmizG6As4IAPDqtd/
+w92iLTzjLVGp32wFDhLuDleojjvJgnOGngKa8oRcLlvfh07wKO0urjt8/3HKxcUf
+RmbSyaLdfP8lOt/mFPpfN4kev9wjqdbIhLIZs6iKbu+hR40QfAR46V8vnPoeIYeM
+ibsl1mvr0U7O6w7kTQuzW7JmJkCYf7n4HoPBgxTzgjKlsBGY0I+dTvZXozsKuTKx
+ir/w6WWcdkIWoXJh00Nb9eWqFQr0exG0hwa1o0ESXjv7aJHwg39B6m8MZVppdpmg
+i0G8pOKtHQZ6OR87YeSUHJ400ocIfYMOAybuB/5rHfC58BvCcjaZwHKTkHlyx28i
+EXgFyzGMqbWlgmI5RJ8UzaM6rTaieIRSsyGbYrDa89BFMhGmY8xMIeeT8191bLbH
+CpX7CMW9npoEqslHL67FMI3LXC5fgYKoPwUnj/TlT0gkjVobEXmXZB6sCDQ6BFTg
+4dpPIFEjnxsCAwEAAaOB9DCB8TAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSZ
+DSa38E3ZzmTn0Y79aHtKXeKGpTCBrgYDVR0jBIGmMIGjgBSZDSa38E3ZzmTn0Y79
+aHtKXeKGpaGBh6SBhDCBgTEgMB4GA1UEAwwXb3BlblNVU0UgU2VjdXJlIEJvb3Qg
+Q0ExCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxGTAXBgNVBAoMEG9w
+ZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEWEmJ1aWxkQG9wZW5zdXNlLm9y
+Z4IBATAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggIBAFsmHlxiAGKu
+Qyx1qb6l7bEWgXAePQfVaaCEH4Mn+oq80kJ67S7s6We8e5QJOgYznk5mDk+PTUC/
+phkP3aJRqZAf5UDrQkOHobpk7FFBxZKjZfULPls3H9+Hichw/XJ2/xJwG+Ja6pgD
+dNO2UaKOjZHCiyZ4ehO7syle/EgQALVwKH4cVq6zIh4xUH4r9WvfdR5vkhhTgM/0
+nzzoBnFRnCUpcsLPj10246wVuLQcliZBeKjiV4xqrMe6cXX8crHvZqqJPZ2jMTGD
+eVIpVES12ZpMT7SbQbcDR1XgjqrL3U9vfcabdqLU60000ALvnDFNN0Sm7xhB+d3c
+sDIyJMwSfIb9jWApsB/En5uRCM++ruqjyFiqTCORo9gzaocw6gut6WYs2TOrZ2NO
+Tq4JNAFfCL/z0p8jdz1dJZmqpgFAlltKNNDWV6KlBPUAdxDEbIiuGoYweB+Zxed3
+BKdlrKGcH0ewPmzt4vVLCl2yFoODxjVtndXieDt/BWIYltMjqYU1qrrOdISHdeAG
+A24L/uxiU4Ej2bKKWNYtvrGMNLMUWBTx5afHMQnK9MD8Z6cpjccNaR0Pe9ZCBRGI
+xyUitlfnU604q1GfYdymiq4mUvSEgy3vbbsVBvcAKElN+hWpAeZbiWc/KcBWKMtp
+4aQ0yoLWDFkQNGU0rGazsu3hpOWta6mL
+-----END CERTIFICATE-----
--- a/shim.changes
+++ b/shim.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Aug 28 07:16:51 UTC 2013 - lnussel@suse.de
+
+- also include old openSUSE 4096 bit certificate to be able to still
+  boot kernels signed with that key.
+- add show_signatures script
+
 -------------------------------------------------------------------
 Tue Aug 27 06:41:03 UTC 2013 - lnussel@suse.de

--- a/shim.spec
+++ b/shim.spec
@ -35,6 +35,8 @@ Source4:        SLES-UEFI-CA-Certificate.crt
 Source5:        extract_signature.sh
 Source6:        attach_signature.sh
 Source7:        show_hash.sh
+Source8:        show_signatures.sh
+Source9:        openSUSE-UEFI-CA-Certificate-4096.crt
 # PATCH-FIX-SUSE shim-suse-build.patch glin@suse.com -- Adjust Makefile for the build service
 Patch0:         shim-suse-build.patch
 # PATCH-FIX-UPSTREAM shim-fix-pointer-casting.patch glin@suse.com -- Fix a casting issue and the size of an empty vendor_cert or dbx_cert. 
@ -91,6 +93,7 @@ Authors:
 %build
 chmod +x "make-certs"

+cert2=''
 if test -e %{_sourcedir}/_projectcert.crt ; then
    prjsubject=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -subject_hash)
    prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -issuer_hash)
@ -99,6 +102,7 @@ if test -e %{_sourcedir}/_projectcert.crt ; then
    if test "$prjissuer" = "$opensusesubject" ; then
        suffix=opensuse
        cert=%{SOURCE2}
+        cert2=%{SOURCE9}
    fi
    if test "$prjissuer" = "$slessubject" ; then
        suffix=sles
@ -116,10 +120,14 @@ if test -z "$suffix" ; then
 fi

 openssl x509 -in $cert -outform DER -out shim-$suffix.der
-# create empty local cert file, we don't need a local key pair as we
-# sign the mokmanager with our vendor key
-touch shim.crt
-touch shim.cer
+if [ -z "$cert2" ]; then
+	# create empty local cert file, we don't need a local key pair as we
+	# sign the mokmanager with our vendor key
+	touch shim.crt
+	touch shim.cer
+else
+	cp $cert2 shim.crt
+fi
 # make sure cast warnings don't trigger post build check
 make VENDOR_CERT_FILE=shim-$suffix.der shim.efi MokManager.efi fallback.efi 2>/dev/null
 # make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx
--- a/show_signatures.sh
+++ b/show_signatures.sh
@ -0,0 +1,21 @@
+#!/bin/bash
+# show signatures on a PE binary
+set -e
+
+infile="$1"
+
+if [ -z "$infile" -o ! -e "$infile" ]; then
+	echo "USAGE: $0 file.efi"
+	exit 1
+fi
+
+nssdir=`mktemp -d`
+cleanup()
+{
+	rm -r "$nssdir"
+}
+trap cleanup EXIT
+echo > "$nssdir/pw"
+certutil -f "$nssdir/pw" -d "$nssdir" -N
+
+pesign -n "$nssdir" -S -i "$infile"